Windows suspicious Teams application related ObjectAccess event
Goal
Detects suspicious access to Microsoft Teams storage locations that may indicate credential or token theft attempts.
Strategy
This rule monitors Windows event logs for object access events related to sensitive Microsoft Teams storage locations. It specifically looks for Windows Event ID 4663 (An attempt was made to access an object) where the ObjectName contains either Teams local storage level database files or Microsoft Teams Cookies. These locations store authentication tokens, session data, and other sensitive information that is valuable to attackers. Unauthorized access to these files could indicate an attempt to steal Microsoft Teams access tokens, which can be used to impersonate users, access sensitive communications, or pivot to other Microsoft 365 services.
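The following is an added example of the detection logic described above, run over a few constructed 4663 records; it is not Datadog's rule query or any code from this page. The path fragments used to recognise the Teams local storage leveldb directory and the Teams Cookies file, the list of expected Teams executables, and the sample event values are all assumptions made for illustration. Beyond the bare match, the example also records whether the accessing process is one of the expected Teams binaries, which is the first question the triage steps ask.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events. Field names mirror the Windows Security log 4663
# schema (EventID, SubjectUserName, ProcessName, ObjectName); values are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # Teams itself reading its own leveldb store: matches, but expected process
        "EventID": 4663,
        "SubjectUserName": "alice",
        "ProcessName": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log",
    },
    {   # Unknown binary reading the Teams Cookies file: matches, unexpected process
        "EventID": 4663,
        "SubjectUserName": "alice",
        "ProcessName": r"C:\Users\Public\updater.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
    },
    {   # Unrelated file access: no match
        "EventID": 4663,
        "SubjectUserName": "bob",
        "ProcessName": r"C:\Windows\System32\notepad.exe",
        "ObjectName": r"C:\Users\bob\Documents\notes.txt",
    },
    {   # Right path but wrong event ID (4656 is a handle request, not an access): no match
        "EventID": 4656,
        "SubjectUserName": "alice",
        "ProcessName": r"C:\Users\Public\updater.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
    },
]

# Assumed path fragments for the two storage locations named in the rule text.
# Backslashes are doubled because they are regex escapes for a literal backslash.
TEAMS_STORAGE_PATTERNS = [
    re.compile(r"\\Microsoft\\Teams\\Local Storage\\leveldb\\", re.IGNORECASE),
    re.compile(r"\\Microsoft\\Teams\\Cookies$", re.IGNORECASE),
]

# Assumed allow-list of executables that legitimately touch these files.
EXPECTED_PROCESS_NAMES = {"teams.exe", "ms-teams.exe"}


@dataclass
class Finding:
    user: str
    process: str
    object_name: str
    expected_process: bool  # True when a known Teams binary did the access


def is_teams_storage(object_name: str) -> bool:
    """Return True if the path points at a sensitive Teams storage location."""
    return any(p.search(object_name) for p in TEAMS_STORAGE_PATTERNS)


def is_expected_process(process_name: str) -> bool:
    """Compare the executable's basename against the assumed Teams allow-list.

    ntpath.basename splits on backslashes on any host OS, so this works when the
    analysis runs on Linux.
    """
    return ntpath.basename(process_name).lower() in EXPECTED_PROCESS_NAMES


def evaluate_event(event: Dict[str, object]) -> Optional[Finding]:
    """Apply the rule to one event; return a Finding on match, else None."""
    if event.get("EventID") != 4663:
        return None
    object_name = str(event.get("ObjectName", ""))
    if not is_teams_storage(object_name):
        return None
    process = str(event.get("ProcessName", ""))
    return Finding(
        user=str(event.get("SubjectUserName", "")),
        process=process,
        object_name=object_name,
        expected_process=is_expected_process(process),
    )


def evaluate_events(events: List[Dict[str, object]]) -> List[Finding]:
    """Run the rule over a batch of events and keep only the matches."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in evaluate_events(SAMPLE_EVENTS):
        label = "expected" if finding.expected_process else "UNEXPECTED"
        print(f"{finding.user}: {label} process {finding.process} read {finding.object_name}")
```

The `expected_process` flag does not suppress the finding; both events still surface, since the rule as described fires on the access itself, but the flag lets a responder sort the unexpected-process case to the top of the queue.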
Triage & Response
- Examine the complete object access event on {{host}} to determine which specific Teams-related files were accessed.
- Determine if the access was made by legitimate Teams processes or by unexpected applications.
- Inspect process creation events around the time of suspicious access to identify potential malware execution.
- Check for evidence of data exfiltration from the system following the suspicious access.
- Revoke and reissue all active Microsoft 365 tokens for the compromised account.